From: Kevin Z. <kev...@gm...> - 2015-08-04 00:35:57

On 08/03/2015 19:22, li...@la... wrote:
> 02500 allow tcp from any to me dst-port 22

ipfw is a first-rule-wins firewall. Since SSHGuard adds rules for ipfw around rule 55000 (at least using the current, crash-prone ipfw backend), its rules are never matched. You'll need to adjust your ruleset so that this particular rule has a lower number.

Best,
Kevin Zheng

--
Kevin Zheng
kev...@gm... | ke...@kd... | PGP: 0xC22E1090
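The first-match behaviour described in this reply, as an added example that is not part of the original thread or of SSHGuard's code: a small Python model of ipfw rule evaluation, run on an excerpt of the posted ruleset. The block rule at 55000, the local address 192.0.2.10 and the reordered ruleset are constructed for illustration, and only plain allow/deny rules with an optional dst-port list are modelled.

```python
"""First-match evaluation over a small ipfw-style ruleset (illustrative subset)."""
import ipaddress
import re
from typing import NamedTuple, Optional


class Rule(NamedTuple):
    num: int
    action: str
    proto: str
    src: str
    dst: str
    ports: frozenset  # empty set means "any destination port"


class Packet(NamedTuple):
    proto: str
    src: str
    dst: str
    dport: int


# Only "NNNNN allow|deny PROTO from SRC to DST [dst-port LIST]" is modelled.
RULE_RE = re.compile(
    r"^(\d+)\s+(allow|deny)\s+(\S+)\s+from\s+(\S+)\s+to\s+(\S+)"
    r"(?:\s+dst-port\s+([\d,]+))?\s*$"
)


def parse_rules(listing: str) -> list:
    """Parse `ipfw list`-style lines, keeping the order in which they are listed."""
    rules = []
    for line in listing.strip().splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            continue  # rules with options (keep-state, via, ...) are outside this sketch
        num, action, proto, src, dst, ports = m.groups()
        port_set = frozenset(int(p) for p in ports.split(",") if p) if ports else frozenset()
        rules.append(Rule(int(num), action, proto, src, dst, port_set))
    return rules


def _addr_matches(spec: str, addr: str, local_addrs: set) -> bool:
    if spec == "any":
        return True
    if spec == "me":
        return addr in local_addrs
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def first_match(rules: list, pkt: Packet, local_addrs: set) -> Optional[Rule]:
    """Return the first rule that matches; later rules are never consulted."""
    for rule in rules:
        if rule.proto not in ("ip", "all", pkt.proto):
            continue
        if rule.ports and pkt.dport not in rule.ports:
            continue
        if _addr_matches(rule.src, pkt.src, local_addrs) and \
                _addr_matches(rule.dst, pkt.dst, local_addrs):
            return rule
    return None


LOCAL = {"192.0.2.10"}        # constructed address standing in for "me"
OFFENDER = "218.87.111.110"   # source address from the auth.log in the thread

# Rules 00200, 00300, 02500, 02600 and 65535 come from the posted listing;
# rule 55000 is a constructed stand-in for a block rule added by SSHGuard.
AS_POSTED = """
00200 deny ip from any to 127.0.0.0/8
00300 deny ip from 127.0.0.0/8 to any
02500 allow tcp from any to me dst-port 22
02600 allow tcp from any to me dst-port 443
55000 deny ip from 218.87.111.110 to me
65535 deny ip from any to any
"""

# Constructed variant: the SSH allow rule is evaluated after the block rule.
REORDERED = """
00200 deny ip from any to 127.0.0.0/8
00300 deny ip from 127.0.0.0/8 to any
02600 allow tcp from any to me dst-port 443
55000 deny ip from 218.87.111.110 to me
56000 allow tcp from any to me dst-port 22
65535 deny ip from any to any
"""


def decide(listing: str, src: str):
    """Return (rule number, action) deciding a new SSH connection from src."""
    pkt = Packet("tcp", src, "192.0.2.10", 22)
    rule = first_match(parse_rules(listing), pkt, LOCAL)
    return (rule.num, rule.action) if rule else None


if __name__ == "__main__":
    print("as posted, offender:  ", decide(AS_POSTED, OFFENDER))
    print("reordered, offender:  ", decide(REORDERED, OFFENDER))
    print("reordered, other host:", decide(REORDERED, "198.51.100.7"))
```

With the ruleset as posted, rule 02500 accepts the blocked address before the block rule is ever reached; once the block rule is evaluated first, the same address is denied while other hosts still reach port 22.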
From: <li...@la...> - 2015-08-04 00:23:07

I'm new to freebsd, so assume I am clueless and you are probably correct. Let me know if top posting is an issue.

# ipfw list
00100 allow ip from any to any via lo0
00200 deny ip from any to 127.0.0.0/8
00300 deny ip from 127.0.0.0/8 to any
00400 deny ip from any to ::1
00500 deny ip from ::1 to any
00600 allow ipv6-icmp from :: to ff02::/16
00700 allow ipv6-icmp from fe80::/10 to fe80::/10
00800 allow ipv6-icmp from fe80::/10 to ff02::/16
00900 allow ipv6-icmp from any to any ip6 icmp6types 1
01000 allow ipv6-icmp from any to any ip6 icmp6types 2,135,136
01100 check-state
01200 allow tcp from me to any established
01300 allow tcp from me to any setup keep-state
01400 allow udp from me to any keep-state
01500 allow icmp from me to any keep-state
01600 allow ipv6-icmp from me to any keep-state
01700 allow udp from 0.0.0.0 68 to 255.255.255.255 dst-port 67 out
01800 allow udp from any 67 to me dst-port 68 in
01900 allow udp from any 67 to 255.255.255.255 dst-port 68 in
02000 allow udp from fe80::/10 to me dst-port 546 in
02100 allow icmp from any to any icmptypes 8
02200 allow ipv6-icmp from any to any ip6 icmp6types 128,129
02300 allow icmp from any to any icmptypes 3,4,11
02400 allow ipv6-icmp from any to any ip6 icmp6types 3
02500 allow tcp from any to me dst-port 22
02600 allow tcp from any to me dst-port 443
02700 allow tcp from any to me dst-port 80
02800 allow tcp from any to me dst-port 500
02900 allow tcp from any to me dst-port 4500
65000 count ip from any to any
65100 allow log udp from any to any dst-port 500 keep-state
65200 allow log udp from any 500 to any keep-state
65300 allow log udp from any to any dst-port 4500 keep-state
65400 allow log udp from any 4500 to any keep-state
65500 deny { tcp or udp } from any to any dst-port 135-139,445 in
65500 deny { tcp or udp } from any to any dst-port 1026,1027 in
65500 deny { tcp or udp } from any to any dst-port 1433,1434 in
65500 deny ip from any to 255.255.255.255
65500 deny ip from any to 224.0.0.0/24 in
65500 deny udp from any to any dst-port 520 in
65500 deny tcp from any 80,443 to any dst-port 1024-65535 in
65500 deny log logamount 500 ip from any to any
65535 deny ip from any to any

Original Message
From: James Harris
Sent: Monday, August 3, 2015 3:15 PM
To: ssh...@li...
Reply To: ssh...@li...
Subject: Re: [Sshguard-users] Is sshguard working?

No, I'm suggesting you look at the running firewall configuration to see if sshguard is adding rules for you. I believe on freebsd that is 'ipfw list'

On Sun, Aug 2, 2015 at 9:58 PM, <li...@la...> wrote:

Would that be in rc.firewall? There isn't any comment regarding sshguard in that file.

From: James Harris
Sent: Saturday, August 1, 2015 11:29 AM
To: ssh...@li...
Reply To: ssh...@li...
Subject: Re: [Sshguard-users] Is sshguard working?

Have you checked the firewall rules? You should see the one sshguard added.

On Aug 1, 2015 10:50 AM, <li...@la...> wrote:

This is a sample of my auth.log or message log on freebsd using sshguard-ipfw. The user is blocked, but the attack keeps coming.
------------------
Aug 1 02:37:14 theranch sshd[56857]: error: PAM: authentication error for root from 218.87.111.110
Aug 1 02:37:15 theranch last message repeated 2 times
Aug 1 02:37:16 theranch sshguard[55685]: Offender '218.87.111.110:4' scored 40 danger in 1 abuses (threshold 40) -> blacklisted.
Aug 1 02:37:16 theranch sshguard[55685]: Blocking 218.87.111.110:4 for >0secs: 40 danger in 3 attacks over 1 seconds (all: 40d in 1 abuses over 1s).
Aug 1 02:37:38 theranch sshd[56863]: error: PAM: authentication error for root from 218.87.111.110
Aug 1 02:37:39 theranch last message repeated 2 times
Aug 1 02:37:41 theranch sshd[56868]: error: PAM: authentication error for root from 218.87.111.110
Aug 1 02:37:43 theranch last message repeated 2 times
Aug 1 02:37:46 theranch sshd[56873]: error: PAM: authentication error for root from 218.87.111.110
Aug 1 02:37:48 theranch last message repeated 2 times
Aug 1 02:37:50 theranch sshd[56878]: error: PAM: authentication error for root from 218.87.111.110
Aug 1 02:37:51 theranch last message repeated 2 times
Aug 1 02:37:54 theranch sshd[56883]: error: PAM: authentication error for root from 218.87.111.110
Aug 1 02:37:55 theranch last message repeated 2 times
Aug 1 02:37:57 theranch sshd[56888]: error: PAM: authentication error for root from 218.87.111.110
Aug 1 02:37:58 theranch last message repeated 2 times
Aug 1 02:38:00 theranch sshd[56893]: error: PAM: authentication error for root from 218.87.111.110
Aug 1 02:38:01 theranch last message repeated 2 times
Aug 1 02:38:18 theranch sshd[56899]: error: PAM: authentication error for root from 218.87.111.110
Aug 1 02:38:19 theranch last message repeated 2 times
Aug 1 02:38:27 theranch sshd[56904]: error: PAM: authentication error for root from 218.87.111.110
Aug 1 02:38:27 theranch last message repeated 2 times
Aug 1 02:38:30 theranch sshd[56909]: error: PAM: authentication error for root from 218.87.111.110
Aug 1 02:38:31 theranch last message repeated 2 times
Aug 1 02:38:33 theranch sshd[56914]: error: PAM: authentication error for root from 218.87.111.110
Aug 1 02:38:34 theranch last message repeated 2 times
Aug 1 02:38:38 theranch sshd[56919]: error: PAM: authentication error for root from 218.87.111.110
Aug 1 02:38:39 theranch last message repeated 2 times
Aug 1 02:38:41 theranch sshd[56924]: error: PAM: authentication error for root from 218.87.111.110
Aug 1 02:38:42 theranch last message repeated 2 times
Aug 1 02:38:46 theranch sshd[56929]: error: PAM: authentication error for root from 218.87.111.110
Aug 1 02:38:47 theranch last message repeated 2 times
Aug 1 02:38:49 theranch sshd[56934]: error: PAM: authentication error for root from 218.87.111.110
Aug 1 02:38:50 theranch last message repeated 2 times
Aug 1 02:39:02 theranch sshd[56939]: error: PAM: authentication error for root from 218.87.111.110
Aug 1 02:39:03 theranch last message repeated 2 times
Aug 1 02:39:05 theranch sshd[56944]: error: PAM: authentication error for root from 218.87.111.110
Aug 1 02:39:06 theranch last message repeated 2 times
Aug 1 02:39:20 theranch sshd[56949]: error: PAM: authentication error for root from 218.87.111.110
Aug 1 02:39:21 theranch last message repeated 2 times
Aug 1 02:39:43 theranch sshd[56956]: error: PAM: authentication error for root from 218.87.111.110
Aug 1 02:39:44 theranch last message repeated 2 times
Aug 1 02:39:51 theranch sshd[56961]: error: PAM: authentication error for root from 218.87.111.110
Aug 1 02:39:52 theranch last message repeated 2 times

------------------------------------------------------------------------------
_______________________________________________
Sshguard-users mailing list
Ssh...@li...
https://lists.sourceforge.net/lists/listinfo/sshguard-users

------------------------------------------------------------------------------
_______________________________________________
Sshguard-users mailing list
Ssh...@li...
https://lists.sourceforge.net/lists/listinfo/sshguard-users

--
James Harris
Software Engineer
jam...@gm...
From: James H. <jam...@gm...> - 2015-08-03 22:14:57

No, I'm suggesting you look at the running firewall configuration to see if sshguard is adding rules for you. I believe on freebsd that is 'ipfw list'

On Sun, Aug 2, 2015 at 9:58 PM, <li...@la...> wrote:

> Would that be in rc.firewall? There isn't any comment regarding sshguard
> in that file.
>
> *From: *James Harris
> *Sent: *Saturday, August 1, 2015 11:29 AM
> *To: *ssh...@li...
> *Reply To: *ssh...@li...
> *Subject: *Re: [Sshguard-users] Is sshguard working?
>
> Have you checked the firewall rules? You should see the one sshguard added.
> On Aug 1, 2015 10:50 AM, <li...@la...> wrote:
>
>> This is a sample of my auth.log or message log on freebsd using
>> sshguard-ipfw. The user is blocked, but the attack keeps coming.
>> ------------------
>>
>>
>> Aug 1 02:37:14 theranch sshd[56857]: error: PAM: authentication error for
>> root from 218.87.111.110
>> Aug 1 02:37:15 theranch last message repeated 2 times
>> Aug 1 02:37:16 theranch sshguard[55685]: Offender '218.87.111.110:4'
>> scored 40 danger in 1 abuses (threshold 40) -> blacklisted.
>> Aug 1 02:37:16 theranch sshguard[55685]: Blocking 218.87.111.110:4 for
>> >0secs: 40 danger in 3 attacks over 1 seconds (all: 40d in 1 abuses over
>> 1s).
>> Aug 1 02:37:38 theranch sshd[56863]: error: PAM: authentication error for
>> root from 218.87.111.110
>> Aug 1 02:37:39 theranch last message repeated 2 times
>> Aug 1 02:37:41 theranch sshd[56868]: error: PAM: authentication error for
>> root from 218.87.111.110
>> Aug 1 02:37:43 theranch last message repeated 2 times
>> Aug 1 02:37:46 theranch sshd[56873]: error: PAM: authentication error for
>> root from 218.87.111.110
>> Aug 1 02:37:48 theranch last message repeated 2 times
>> Aug 1 02:37:50 theranch sshd[56878]: error: PAM: authentication error for
>> root from 218.87.111.110
>> Aug 1 02:37:51 theranch last message repeated 2 times
>> Aug 1 02:37:54 theranch sshd[56883]: error: PAM: authentication error for
>> root from 218.87.111.110
>> Aug 1 02:37:55 theranch last message repeated 2 times
>> Aug 1 02:37:57 theranch sshd[56888]: error: PAM: authentication error for
>> root from 218.87.111.110
>> Aug 1 02:37:58 theranch last message repeated 2 times
>> Aug 1 02:38:00 theranch sshd[56893]: error: PAM: authentication error for
>> root from 218.87.111.110
>> Aug 1 02:38:01 theranch last message repeated 2 times
>> Aug 1 02:38:18 theranch sshd[56899]: error: PAM: authentication error for
>> root from 218.87.111.110
>> Aug 1 02:38:19 theranch last message repeated 2 times
>> Aug 1 02:38:27 theranch sshd[56904]: error: PAM: authentication error for
>> root from 218.87.111.110
>> Aug 1 02:38:27 theranch last message repeated 2 times
>> Aug 1 02:38:30 theranch sshd[56909]: error: PAM: authentication error for
>> root from 218.87.111.110
>> Aug 1 02:38:31 theranch last message repeated 2 times
>> Aug 1 02:38:33 theranch sshd[56914]: error: PAM: authentication error for
>> root from 218.87.111.110
>> Aug 1 02:38:34 theranch last message repeated 2 times
>> Aug 1 02:38:38 theranch sshd[56919]: error: PAM: authentication error for
>> root from 218.87.111.110
>> Aug 1 02:38:39 theranch last message repeated 2 times
>> Aug 1 02:38:41 theranch sshd[56924]: error: PAM: authentication error for
>> root from 218.87.111.110
>> Aug 1 02:38:42 theranch last message repeated 2 times
>> Aug 1 02:38:46 theranch sshd[56929]: error: PAM: authentication error for
>> root from 218.87.111.110
>> Aug 1 02:38:47 theranch last message repeated 2 times
>> Aug 1 02:38:49 theranch sshd[56934]: error: PAM: authentication error for
>> root from 218.87.111.110
>> Aug 1 02:38:50 theranch last message repeated 2 times
>> Aug 1 02:39:02 theranch sshd[56939]: error: PAM: authentication error for
>> root from 218.87.111.110
>> Aug 1 02:39:03 theranch last message repeated 2 times
>> Aug 1 02:39:05 theranch sshd[56944]: error: PAM: authentication error for
>> root from 218.87.111.110
>> Aug 1 02:39:06 theranch last message repeated 2 times
>> Aug 1 02:39:20 theranch sshd[56949]: error: PAM: authentication error for
>> root from 218.87.111.110
>> Aug 1 02:39:21 theranch last message repeated 2 times
>> Aug 1 02:39:43 theranch sshd[56956]: error: PAM: authentication error for
>> root from 218.87.111.110
>> Aug 1 02:39:44 theranch last message repeated 2 times
>> Aug 1 02:39:51 theranch sshd[56961]: error: PAM: authentication error for
>> root from 218.87.111.110
>> Aug 1 02:39:52 theranch last message repeated 2 times
>>
>>
>> ------------------------------------------------------------------------------
>>
>> _______________________________________________
>> Sshguard-users mailing list
>> Ssh...@li...
>> https://lists.sourceforge.net/lists/listinfo/sshguard-users
>>
>>
>
>
> ------------------------------------------------------------------------------
>
> _______________________________________________
> Sshguard-users mailing list
> Ssh...@li...
> https://lists.sourceforge.net/lists/listinfo/sshguard-users
>
>

--
James Harris
Software Engineer
jam...@gm...
From: Willem J. W. <wj...@di...> - 2015-08-03 09:08:23

On 1-8-2015 03:07, Kevin Zheng wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
>
> Greetings,
>
> I am pleased to announce the release of SSHGuard 1.6.1 [1]. This
> release is primarily a bugfix release that fixes a few late-breaking
> issues from 1.6.0 while incorporating a few feature improvements. This
> release was slightly delayed by a recent SourceForge outage.
>
> Changes in this release include:
>
> - - Accept "Received disconnect" with optional prefix
> - - Add support for socklog entries
> - - Fix 'ipfw-rules-range' option in configure script
> - - Fix build for 'ipfw' and 'hosts' backends
> - - Fix integer comparisons of different types
> - - Match attacks when syslog debugging is enabled
>
> Many thanks to the contributors who reported issues or sent in patches
> to fix them. Special thanks to the FreeBSD community for reporting and
> fixing a number of problems amended in this release.
>
> As usual, please report any bugs, build failures, or other issues to
> the mailing list or the Bitbucket tracker [2].

Hi,

I added some code on FreeBSD to libssh to make some errors actually log the ip-number, because this is usually abuse as well....

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=202055

And it changes the log like:

fatal: Read from socket failed: Connection reset by peer [preauth]

Which is rather useless for tools like sshguard and/or fail2ban

But this patch changes this info to:

Aug 2 19:37:32 zfs sshd[19444]: Read from socket failed: 218.2.22.36 [preauth]
Aug 2 19:37:32 zfs sshd[19444]:fatal: Read from socket failed: Connection reset by peer [preauth]

But then again this needs to be picked up by sshguard with an extra parser rule...

--WjW

patch:
Index: crypto/openssh/packet.c =================================================================== --- crypto/openssh/packet.c (revision 286222) +++ crypto/openssh/packet.c (working copy) 
@@ -1128,8 +1128,10 @@ logit("Connection closed by %.200s", get_remote_ipaddr()); cleanup_exit(255); } - if (len < 0) + if (len < 0) { + logit("Read from socket failed: %.200s", get_remote_ipaddr()); fatal("Read from socket failed: %.100s", strerror(errno)); + } /* Append it to the buffer. */ packet_process_incoming(buf, len); } |
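Review bot: In the `if (len < 0)` branch, the new logit() call and its get_remote_ipaddr() argument run before fatal() evaluates strerror(errno), and either may change errno, so the reason printed by fatal() can end up describing a different error than the failed read. Save errno in a local variable before the logit() call and pass that saved value to strerror(). It would also help to add a short comment that the extra logit() line exists so that log-watching tools can see the peer address, since the two lines are otherwise only tied together by the sshd pid.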
From: <li...@la...> - 2015-08-03 04:58:09

Would that be in rc.firewall? There isn't any comment regarding sshguard in that file.

From: James Harris
Sent: Saturday, August 1, 2015 11:29 AM
To: ssh...@li...
Reply To: ssh...@li...
Subject: Re: [Sshguard-users] Is sshguard working?

Have you checked the firewall rules? You should see the one sshguard added.

On Aug 1, 2015 10:50 AM, <li...@la...> wrote:

> This is a sample of my auth.log or message log on freebsd using sshguard-ipfw. The user is blocked, but the attack keeps coming.
> ------------------
>
> Aug 1 02:37:14 theranch sshd[56857]: error: PAM: authentication error for root from 218.87.111.110
> Aug 1 02:37:15 theranch last message repeated 2 times
> Aug 1 02:37:16 theranch sshguard[55685]: Offender '218.87.111.110:4' scored 40 danger in 1 abuses (threshold 40) -> blacklisted.
> Aug 1 02:37:16 theranch sshguard[55685]: Blocking 218.87.111.110:4 for >0secs: 40 danger in 3 attacks over 1 seconds (all: 40d in 1 abuses over 1s).
> Aug 1 02:37:38 theranch sshd[56863]: error: PAM: authentication error for root from 218.87.111.110
> Aug 1 02:37:39 theranch last message repeated 2 times
> Aug 1 02:37:41 theranch sshd[56868]: error: PAM: authentication error for root from 218.87.111.110
> Aug 1 02:37:43 theranch last message repeated 2 times
> Aug 1 02:37:46 theranch sshd[56873]: error: PAM: authentication error for root from 218.87.111.110
> Aug 1 02:37:48 theranch last message repeated 2 times
> Aug 1 02:37:50 theranch sshd[56878]: error: PAM: authentication error for root from 218.87.111.110
> Aug 1 02:37:51 theranch last message repeated 2 times
> Aug 1 02:37:54 theranch sshd[56883]: error: PAM: authentication error for root from 218.87.111.110
> Aug 1 02:37:55 theranch last message repeated 2 times
> Aug 1 02:37:57 theranch sshd[56888]: error: PAM: authentication error for root from 218.87.111.110
> Aug 1 02:37:58 theranch last message repeated 2 times
> Aug 1 02:38:00 theranch sshd[56893]: error: PAM: authentication error for root from 218.87.111.110
> Aug 1 02:38:01 theranch last message repeated 2 times
> Aug 1 02:38:18 theranch sshd[56899]: error: PAM: authentication error for root from 218.87.111.110
> Aug 1 02:38:19 theranch last message repeated 2 times
> Aug 1 02:38:27 theranch sshd[56904]: error: PAM: authentication error for root from 218.87.111.110
> Aug 1 02:38:27 theranch last message repeated 2 times
> Aug 1 02:38:30 theranch sshd[56909]: error: PAM: authentication error for root from 218.87.111.110
> Aug 1 02:38:31 theranch last message repeated 2 times
> Aug 1 02:38:33 theranch sshd[56914]: error: PAM: authentication error for root from 218.87.111.110
> Aug 1 02:38:34 theranch last message repeated 2 times
> Aug 1 02:38:38 theranch sshd[56919]: error: PAM: authentication error for root from 218.87.111.110
> Aug 1 02:38:39 theranch last message repeated 2 times
> Aug 1 02:38:41 theranch sshd[56924]: error: PAM: authentication error for root from 218.87.111.110
> Aug 1 02:38:42 theranch last message repeated 2 times
> Aug 1 02:38:46 theranch sshd[56929]: error: PAM: authentication error for root from 218.87.111.110
> Aug 1 02:38:47 theranch last message repeated 2 times
> Aug 1 02:38:49 theranch sshd[56934]: error: PAM: authentication error for root from 218.87.111.110
> Aug 1 02:38:50 theranch last message repeated 2 times
> Aug 1 02:39:02 theranch sshd[56939]: error: PAM: authentication error for root from 218.87.111.110
> Aug 1 02:39:03 theranch last message repeated 2 times
> Aug 1 02:39:05 theranch sshd[56944]: error: PAM: authentication error for root from 218.87.111.110
> Aug 1 02:39:06 theranch last message repeated 2 times
> Aug 1 02:39:20 theranch sshd[56949]: error: PAM: authentication error for root from 218.87.111.110
> Aug 1 02:39:21 theranch last message repeated 2 times
> Aug 1 02:39:43 theranch sshd[56956]: error: PAM: authentication error for root from 218.87.111.110
> Aug 1 02:39:44 theranch last message repeated 2 times
> Aug 1 02:39:51 theranch sshd[56961]: error: PAM: authentication error for root from 218.87.111.110
> Aug 1 02:39:52 theranch last message repeated 2 times
>
> ------------------------------------------------------------------------------
>
> _______________________________________________
> Sshguard-users mailing list
> Ssh...@li...
> https://lists.sourceforge.net/lists/listinfo/sshguard-users
From: Greg P. <gr...@n0...> - 2015-08-02 20:13:38

For IPFW, did the change to use a table instead of individual rules make it in? I’ve installed 1.6.1 on FreeBSD from the ports (sshguard-ipfw) and it's still creating individual rules, and also it crashes on start if the blacklist is larger than 4 lines or so.

Thanks,
Greg

> On Jul 31, 2015, at 20:07 , Kevin Zheng <kev...@gm...> wrote:
>
> Signed PGP part
> Greetings,
>
> I am pleased to announce the release of SSHGuard 1.6.1 [1]. This
> release is primarily a bugfix release that fixes a few late-breaking
> issues from 1.6.0 while incorporating a few feature improvements. This
> release was slightly delayed by a recent SourceForge outage.
>
> Changes in this release include:
>
> - Accept "Received disconnect" with optional prefix
> - Add support for socklog entries
> - Fix 'ipfw-rules-range' option in configure script
> - Fix build for 'ipfw' and 'hosts' backends
> - Fix integer comparisons of different types
> - Match attacks when syslog debugging is enabled
>
> Many thanks to the contributors who reported issues or sent in patches
> to fix them. Special thanks to the FreeBSD community for reporting and
> fixing a number of problems amended in this release.
>
> As usual, please report any bugs, build failures, or other issues to
> the mailing list or the Bitbucket tracker [2].
>
> Very best,
> Kevin Zheng
>
> [1] https://sourceforge.net/projects/sshguard/files/sshguard/1.6.1/
> [2] https://bitbucket.org/sshguard/sshguard/issues/
>
> --
> Kevin Zheng
> kev...@gm... | ke...@kd... | PGP: 0xC22E1090
>
>
> ------------------------------------------------------------------------------
> _______________________________________________
> Sshguard-users mailing list
> Ssh...@li...
> https://lists.sourceforge.net/lists/listinfo/sshguard-users
From: Gregory P. <gpu...@ic...> - 2015-08-02 18:55:15
|
For IPFW, did the change to use a table instead of individual rules make it in? I’ve installed 1.6.1 on FreeBSD from the ports (sshguard-ipfw) and it’s still creating individual rules, and also it crashes on start if the blacklist is larger than 4 lines or so.

Thanks,
Greg

> On Jul 31, 2015, at 20:07 , Kevin Zheng <kev...@gm...> wrote:
>
> Signed PGP part
> Greetings,
>
> I am pleased to announce the release of SSHGuard 1.6.1 [1]. This
> release is primarily a bugfix release that fixes a few late-breaking
> issues from 1.6.0 while incorporating a few feature improvements. This
> release was slightly delayed by a recent SourceForge outage.
>
> Changes in this release include:
>
> - Accept "Received disconnect" with optional prefix
> - Add support for socklog entries
> - Fix 'ipfw-rules-range' option in configure script
> - Fix build for 'ipfw' and 'hosts' backends
> - Fix integer comparisons of different types
> - Match attacks when syslog debugging is enabled
>
> Many thanks to the contributors who reported issues or sent in patches
> to fix them. Special thanks to the FreeBSD community for reporting and
> fixing a number of problems amended in this release.
>
> As usual, please report any bugs, build failures, or other issues to
> the mailing list or the Bitbucket tracker [2].
>
> Very best,
> Kevin Zheng
>
> [1] https://sourceforge.net/projects/sshguard/files/sshguard/1.6.1/
> [2] https://bitbucket.org/sshguard/sshguard/issues/
>
> --
> Kevin Zheng
> kev...@gm... | ke...@kd... | PGP: 0xC22E1090
>
>
> ------------------------------------------------------------------------------
> _______________________________________________
> Sshguard-users mailing list
> Ssh...@li...
> https://lists.sourceforge.net/lists/listinfo/sshguard-users |
From: James H. <jam...@gm...> - 2015-08-01 18:28:55
|
Have you checked the firewall rules? You should see the one sshguard added.

On Aug 1, 2015 10:50 AM, <li...@la...> wrote:

> This is a sample of my auth.log or message log on freebsd using
> sshguard-ipfw. The user is blocked, but the attack keeps coming.
> ------------------
>
> Aug 1 02:37:14 theranch sshd[56857]: error: PAM: authentication error for root from 218.87.111.110
> Aug 1 02:37:15 theranch last message repeated 2 times
> Aug 1 02:37:16 theranch sshguard[55685]: Offender '218.87.111.110:4' scored 40 danger in 1 abuses (threshold 40) -> blacklisted.
> Aug 1 02:37:16 theranch sshguard[55685]: Blocking 218.87.111.110:4 for >0secs: 40 danger in 3 attacks over 1 seconds (all: 40d in 1 abuses over 1s).
> Aug 1 02:37:38 theranch sshd[56863]: error: PAM: authentication error for root from 218.87.111.110
> Aug 1 02:37:39 theranch last message repeated 2 times
> Aug 1 02:37:41 theranch sshd[56868]: error: PAM: authentication error for root from 218.87.111.110
> Aug 1 02:37:43 theranch last message repeated 2 times
> Aug 1 02:37:46 theranch sshd[56873]: error: PAM: authentication error for root from 218.87.111.110
> Aug 1 02:37:48 theranch last message repeated 2 times
> Aug 1 02:37:50 theranch sshd[56878]: error: PAM: authentication error for root from 218.87.111.110
> Aug 1 02:37:51 theranch last message repeated 2 times
> Aug 1 02:37:54 theranch sshd[56883]: error: PAM: authentication error for root from 218.87.111.110
> Aug 1 02:37:55 theranch last message repeated 2 times
> Aug 1 02:37:57 theranch sshd[56888]: error: PAM: authentication error for root from 218.87.111.110
> Aug 1 02:37:58 theranch last message repeated 2 times
> Aug 1 02:38:00 theranch sshd[56893]: error: PAM: authentication error for root from 218.87.111.110
> Aug 1 02:38:01 theranch last message repeated 2 times
> Aug 1 02:38:18 theranch sshd[56899]: error: PAM: authentication error for root from 218.87.111.110
> Aug 1 02:38:19 theranch last message repeated 2 times
> Aug 1 02:38:27 theranch sshd[56904]: error: PAM: authentication error for root from 218.87.111.110
> Aug 1 02:38:27 theranch last message repeated 2 times
> Aug 1 02:38:30 theranch sshd[56909]: error: PAM: authentication error for root from 218.87.111.110
> Aug 1 02:38:31 theranch last message repeated 2 times
> Aug 1 02:38:33 theranch sshd[56914]: error: PAM: authentication error for root from 218.87.111.110
> Aug 1 02:38:34 theranch last message repeated 2 times
> Aug 1 02:38:38 theranch sshd[56919]: error: PAM: authentication error for root from 218.87.111.110
> Aug 1 02:38:39 theranch last message repeated 2 times
> Aug 1 02:38:41 theranch sshd[56924]: error: PAM: authentication error for root from 218.87.111.110
> Aug 1 02:38:42 theranch last message repeated 2 times
> Aug 1 02:38:46 theranch sshd[56929]: error: PAM: authentication error for root from 218.87.111.110
> Aug 1 02:38:47 theranch last message repeated 2 times
> Aug 1 02:38:49 theranch sshd[56934]: error: PAM: authentication error for root from 218.87.111.110
> Aug 1 02:38:50 theranch last message repeated 2 times
> Aug 1 02:39:02 theranch sshd[56939]: error: PAM: authentication error for root from 218.87.111.110
> Aug 1 02:39:03 theranch last message repeated 2 times
> Aug 1 02:39:05 theranch sshd[56944]: error: PAM: authentication error for root from 218.87.111.110
> Aug 1 02:39:06 theranch last message repeated 2 times
> Aug 1 02:39:20 theranch sshd[56949]: error: PAM: authentication error for root from 218.87.111.110
> Aug 1 02:39:21 theranch last message repeated 2 times
> Aug 1 02:39:43 theranch sshd[56956]: error: PAM: authentication error for root from 218.87.111.110
> Aug 1 02:39:44 theranch last message repeated 2 times
> Aug 1 02:39:51 theranch sshd[56961]: error: PAM: authentication error for root from 218.87.111.110
> Aug 1 02:39:52 theranch last message repeated 2 times
>
> ------------------------------------------------------------------------------
> _______________________________________________
> Sshguard-users mailing list
> Ssh...@li...
> https://lists.sourceforge.net/lists/listinfo/sshguard-users |
From: <li...@la...> - 2015-08-01 17:49:45
|
This is a sample of my auth.log or message log on freebsd using sshguard-ipfw. The user is blocked, but the attack keeps coming.
------------------

Aug 1 02:37:14 theranch sshd[56857]: error: PAM: authentication error for root from 218.87.111.110
Aug 1 02:37:15 theranch last message repeated 2 times
Aug 1 02:37:16 theranch sshguard[55685]: Offender '218.87.111.110:4' scored 40 danger in 1 abuses (threshold 40) -> blacklisted.
Aug 1 02:37:16 theranch sshguard[55685]: Blocking 218.87.111.110:4 for >0secs: 40 danger in 3 attacks over 1 seconds (all: 40d in 1 abuses over 1s).
Aug 1 02:37:38 theranch sshd[56863]: error: PAM: authentication error for root from 218.87.111.110
Aug 1 02:37:39 theranch last message repeated 2 times
Aug 1 02:37:41 theranch sshd[56868]: error: PAM: authentication error for root from 218.87.111.110
Aug 1 02:37:43 theranch last message repeated 2 times
Aug 1 02:37:46 theranch sshd[56873]: error: PAM: authentication error for root from 218.87.111.110
Aug 1 02:37:48 theranch last message repeated 2 times
Aug 1 02:37:50 theranch sshd[56878]: error: PAM: authentication error for root from 218.87.111.110
Aug 1 02:37:51 theranch last message repeated 2 times
Aug 1 02:37:54 theranch sshd[56883]: error: PAM: authentication error for root from 218.87.111.110
Aug 1 02:37:55 theranch last message repeated 2 times
Aug 1 02:37:57 theranch sshd[56888]: error: PAM: authentication error for root from 218.87.111.110
Aug 1 02:37:58 theranch last message repeated 2 times
Aug 1 02:38:00 theranch sshd[56893]: error: PAM: authentication error for root from 218.87.111.110
Aug 1 02:38:01 theranch last message repeated 2 times
Aug 1 02:38:18 theranch sshd[56899]: error: PAM: authentication error for root from 218.87.111.110
Aug 1 02:38:19 theranch last message repeated 2 times
Aug 1 02:38:27 theranch sshd[56904]: error: PAM: authentication error for root from 218.87.111.110
Aug 1 02:38:27 theranch last message repeated 2 times
Aug 1 02:38:30 theranch sshd[56909]: error: PAM: authentication error for root from 218.87.111.110
Aug 1 02:38:31 theranch last message repeated 2 times
Aug 1 02:38:33 theranch sshd[56914]: error: PAM: authentication error for root from 218.87.111.110
Aug 1 02:38:34 theranch last message repeated 2 times
Aug 1 02:38:38 theranch sshd[56919]: error: PAM: authentication error for root from 218.87.111.110
Aug 1 02:38:39 theranch last message repeated 2 times
Aug 1 02:38:41 theranch sshd[56924]: error: PAM: authentication error for root from 218.87.111.110
Aug 1 02:38:42 theranch last message repeated 2 times
Aug 1 02:38:46 theranch sshd[56929]: error: PAM: authentication error for root from 218.87.111.110
Aug 1 02:38:47 theranch last message repeated 2 times
Aug 1 02:38:49 theranch sshd[56934]: error: PAM: authentication error for root from 218.87.111.110
Aug 1 02:38:50 theranch last message repeated 2 times
Aug 1 02:39:02 theranch sshd[56939]: error: PAM: authentication error for root from 218.87.111.110
Aug 1 02:39:03 theranch last message repeated 2 times
Aug 1 02:39:05 theranch sshd[56944]: error: PAM: authentication error for root from 218.87.111.110
Aug 1 02:39:06 theranch last message repeated 2 times
Aug 1 02:39:20 theranch sshd[56949]: error: PAM: authentication error for root from 218.87.111.110
Aug 1 02:39:21 theranch last message repeated 2 times
Aug 1 02:39:43 theranch sshd[56956]: error: PAM: authentication error for root from 218.87.111.110
Aug 1 02:39:44 theranch last message repeated 2 times
Aug 1 02:39:51 theranch sshd[56961]: error: PAM: authentication error for root from 218.87.111.110
Aug 1 02:39:52 theranch last message repeated 2 times |
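The symptom in the log above (sshd keeps logging failures from an address after sshguard reports "Blocking" it) can be checked for mechanically. The following is an added example, not part of the original post and not SSHGuard code: the function names, the 10-second grace period and the sample lines (documentation addresses, host name "host") are constructed, and the patterns assume the sshd and sshguard line formats shown in that log.

```python
import re
from datetime import datetime

# Patterns follow the sshd and sshguard lines quoted in the post above.
FAIL_RE = re.compile(r"sshd\[\d+\]: error: PAM: authentication error for \S+ from (?P<ip>\S+)")
BLOCK_RE = re.compile(r"sshguard\[\d+\]: Blocking (?P<ip>\S+):[46] for ")
REPEAT_RE = re.compile(r" last message repeated (?P<n>\d+) times")
STAMP_RE = re.compile(r"^(\w{3}\s+\d{1,2}\s+\d\d:\d\d:\d\d)\s")

# Constructed sample input in the same format as the posted log.
SAMPLE_LOG = """\
Aug  1 02:37:14 host sshd[101]: error: PAM: authentication error for root from 192.0.2.10
Aug  1 02:37:15 host last message repeated 2 times
Aug  1 02:37:16 host sshguard[55]: Offender '192.0.2.10:4' scored 40 danger in 1 abuses (threshold 40) -> blacklisted.
Aug  1 02:37:16 host sshguard[55]: Blocking 192.0.2.10:4 for >0secs: 40 danger in 3 attacks over 1 seconds (all: 40d in 1 abuses over 1s).
Aug  1 02:37:38 host sshd[102]: error: PAM: authentication error for root from 192.0.2.10
Aug  1 02:37:39 host last message repeated 2 times
Aug  1 02:37:41 host sshd[103]: error: PAM: authentication error for root from 198.51.100.7
Aug  1 02:39:51 host sshd[104]: error: PAM: authentication error for root from 192.0.2.10
Aug  1 02:40:00 host sshguard[55]: Blocking 198.51.100.7:4 for >0secs: 40 danger in 4 attacks over 139 seconds (all: 40d in 1 abuses over 139s).
Aug  1 02:40:02 host sshd[105]: error: PAM: authentication error for root from 198.51.100.7
"""


def _when(line):
    """Parse the syslog timestamp. Syslog omits the year, so a fixed leap
    year is supplied to keep 'Feb 29' parseable."""
    m = STAMP_RE.match(line)
    if not m:
        return None
    return datetime.strptime("2000 " + m.group(1), "%Y %b %d %H:%M:%S")


def failures_after_block(lines):
    """Return {ip: {"failures_after": n, "span_s": s}} for every address that
    still produced sshd failures after sshguard logged that it was blocked.
    span_s is the delay between the block and the latest such failure."""
    blocked_at = {}       # ip -> time of the first "Blocking" line
    report = {}
    last_fail_ip = None   # what a following "last message repeated" refers to
    for line in lines:
        ts = _when(line)
        if ts is None:
            continue
        m = BLOCK_RE.search(line)
        if m:
            blocked_at.setdefault(m.group("ip"), ts)
            last_fail_ip = None
            continue
        m = FAIL_RE.search(line)
        if m:
            ip, count = m.group("ip"), 1
            last_fail_ip = ip
        else:
            # syslog compresses identical lines; expand them for the last failure
            m = REPEAT_RE.search(line)
            if not (m and last_fail_ip):
                last_fail_ip = None
                continue
            ip, count = last_fail_ip, int(m.group("n"))
        if ip in blocked_at:
            entry = report.setdefault(ip, {"failures_after": 0, "span_s": 0})
            entry["failures_after"] += count
            entry["span_s"] = int((ts - blocked_at[ip]).total_seconds())
    return report


def ineffective_blocks(lines, grace_s=10):
    """Addresses still failing more than grace_s seconds after the block.
    A failure within the grace period can come from a session that was
    already open; later ones mean the firewall rule is not taking effect."""
    report = failures_after_block(lines)
    return sorted(ip for ip, e in report.items() if e["span_s"] > grace_s)


if __name__ == "__main__":
    for ip in ineffective_blocks(SAMPLE_LOG.splitlines()):
        print("block not effective for", ip)
```

An address reported here is the cue to inspect the firewall rules by hand, as the reply in this thread suggests.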
From: Kevin Z. <kev...@gm...> - 2015-08-01 01:07:46
|
Greetings,

I am pleased to announce the release of SSHGuard 1.6.1 [1]. This release is primarily a bugfix release that fixes a few late-breaking issues from 1.6.0 while incorporating a few feature improvements. This release was slightly delayed by a recent SourceForge outage.

Changes in this release include:

- Accept "Received disconnect" with optional prefix
- Add support for socklog entries
- Fix 'ipfw-rules-range' option in configure script
- Fix build for 'ipfw' and 'hosts' backends
- Fix integer comparisons of different types
- Match attacks when syslog debugging is enabled

Many thanks to the contributors who reported issues or sent in patches to fix them. Special thanks to the FreeBSD community for reporting and fixing a number of problems amended in this release.

As usual, please report any bugs, build failures, or other issues to the mailing list or the Bitbucket tracker [2].

Very best,
Kevin Zheng

[1] https://sourceforge.net/projects/sshguard/files/sshguard/1.6.1/
[2] https://bitbucket.org/sshguard/sshguard/issues/

--
Kevin Zheng
kev...@gm... | ke...@kd... | PGP: 0xC22E1090 |
From: Kevin Z. <kev...@gm...> - 2015-07-24 01:08:51
|
On 07/24/2015 09:06, James Harris wrote: > Currently I'm leaning towards writing some tools which can be used > offline to analyse the blacklist. Make suggestions about blocking IP > ranges and removing IPs from the blacklist which are contained in the > ranges selected to be blocked. I would want to see promoting a few IPs > to blocking a ranges works well before integrating such complexity into > sshguard. I think that's a good idea. And, you won't have to do it in C :p Best, Kevin Zheng -- Kevin Zheng kev...@gm... | ke...@kd... | PGP: 0xC22E1090 |
From: James H. <jam...@gm...> - 2015-07-24 01:06:27
|
Currently I'm leaning towards writing some tools which can be used offline to analyse the blacklist. Make suggestions about blocking IP ranges and removing IPs from the blacklist which are contained in the ranges selected to be blocked. I would want to see promoting a few IPs to blocking a range works well before integrating such complexity into sshguard.

On Thu, Jul 23, 2015 at 4:47 PM, Kevin Zheng <kev...@gm...> wrote:

> On 07/24/2015 02:53, @lbutlr wrote:
> > If there were a reliable way to block all of russia and china, that
> > would be great. Heck, other than a few connections from Western
> > Europe and Africa I could safely block the rest of the world.
>
> Here's a list of CIDR blocks by country:
> http://www.ipdeny.com/ipblocks/
>
> You don't need SSHGuard to block these.
>
> > I would like to tune the behavior a bit (for example, attempts to ssh
> > as root should count for like 21 so that two attempts result in a
> > blacklist. (since I do not allow ssh access to the root account).
>
> This idea was thrown around on the mailing list a short while ago, but I
> haven't gotten around to start looking at it, yet. Most of the changes
> probably involve updating the lexer/parser to spit out the username (if
> available), but this is not as trivial as it sounds.
>
> Best,
> Kevin Zheng
>
> --
> Kevin Zheng
> kev...@gm... | ke...@kd... | PGP: 0xC22E1090
>
>
> ------------------------------------------------------------------------------
> _______________________________________________
> Sshguard-users mailing list
> Ssh...@li...
> https://lists.sourceforge.net/lists/listinfo/sshguard-users
>

--
James Harris
Software Engineer
jam...@gm... |
From: Kevin Z. <kev...@gm...> - 2015-07-23 23:47:58
|
On 07/24/2015 02:53, @lbutlr wrote: > If there were a reliable way to block all of russia and china, that > would be great. Heck, other than a few connections from Western > Europe and Africa I could safely block the rest of the world. Here's a list of CIDR blocks by country: http://www.ipdeny.com/ipblocks/ You don't need SSHGuard to block these. > I would like to tune the behavior a bit (for example, attempts to ssh > as root should count for like 21 so that two attempts result in a > blacklist. (since I do not allow ssh access to the root account). This idea was thrown around on the mailing list a short while ago, but I haven't gotten around to start looking at it, yet. Most of the changes probably involve updating the lexer/parser to spit out the username (if available), but this is not as trivial as it sounds. Best, Kevin Zheng -- Kevin Zheng kev...@gm... | ke...@kd... | PGP: 0xC22E1090 |
From: James H. <jam...@gm...> - 2015-07-23 21:43:58
|
I had been looking at two ideas, first blocking subnets when a certain number of ips had been blocked. Thus replacing like 128 rules with one if half of a class c was blocked.

Another option is to look up the AS of the ips, and when enough bad guys from one AS show up just block all the IPs there. Many of these attackers can force a provider to give them another IP but few go to the trouble of changing providers. I suspect blocking by AS will have the same thing as blocking by country where these attacks most often originate.

On Thu, Jul 23, 2015 at 12:52 PM, Greg Putrich <gr...@n0...> wrote:

> @lbutlr said:
> > If there were a reliable way to block all of russia and china, that
> > would be great. Heck, other than a few connections from Western Europe and
> > Africa I could safely block the rest of the world.
> >
> > I would like to tune the behavior a bit (for example, attempts to ssh as
> > root should count for like 21 so that two attempts result in a blacklist.
> > (since I do not allow ssh access to the root account).
>
> Can find networks in China & North Korea at:
> http://okean.com
>
>
> ------------------------------------------------------------------------------
> _______________________________________________
> Sshguard-users mailing list
> Ssh...@li...
> https://lists.sourceforge.net/lists/listinfo/sshguard-users
>

--
James Harris
Software Engineer
jam...@gm... |
From: Greg P. <gr...@n0...> - 2015-07-23 20:10:48
|
@lbutlr said: > If there were a reliable way to block all of russia and china, that would be great. Heck, other than a few connections from Western Europe and Africa I could safely block the rest of the world. > > I would like to tune the behavior a bit (for example, attempts to ssh as root should count for like 21 so that two attempts result in a blacklist. (since I do not allow ssh access to the root account). Can find networks in China & North Korea at: http://okean.com |
From: @lbutlr <kr...@kr...> - 2015-07-23 18:53:46
|
> On Jul 23, 2015, at 7:39 AM, Willem Jan Withagen <wj...@di...> wrote:
>
> On 23/07/2015 15:20, Kevin Zheng wrote:
>> On 07/23/2015 18:24, @lbutlr wrote:
>>> the behavior has changed since yesterday. Over 1200 IPs are listed in
>>> /etc/hosts.deny and /etc/hosts.allow is empty. Something else is
>>> going on here, right?
>>
>> I'm not very familiar with the 'hosts' backend, so I'm not sure. I
>> believe SSHGuard should only be making changes to one file, which is set
>> at compile time.
>>
>> I'd be interested to hear if you find out what's going on.
>
> It is normal to dump everything into /etc/hosts.deny, as is suggested in
> the header in /etc/hosts.deny…

There were no headers at all in the hosts.deny file, and the file has not been recreated since yesterday (but it was modified at the same time as hosts.allow).

> It now can go all in the same file.

Yes, which is why I found the list of IPs in hosts.deny odd since everything should be in hosts.allow.

> And on those servers I manually blacklist C-nets(/24) (mostly
> russian/asian) which have more than a 10-15% coverage. so if more than
> 32 ipnrs in a segment try to abuse the system, I don't wait, I just
> block the whole C-net.

If there were a reliable way to block all of russia and china, that would be great. Heck, other than a few connections from Western Europe and Africa I could safely block the rest of the world.

I would like to tune the behavior a bit (for example, attempts to ssh as root should count for like 21 so that two attempts result in a blacklist. (since I do not allow ssh access to the root account).

Whatever oddness there was hasn’t recurred so far.

--
Realizing the importance of the case, my men are rounding up twice the usual number of suspects. |
From: Willem J. W. <wj...@di...> - 2015-07-23 13:40:18
|
On 23/07/2015 15:20, Kevin Zheng wrote:
> On 07/23/2015 18:24, @lbutlr wrote:
>> the behavior has changed since yesterday. Over 1200 IPs are listed in
>> /etc/hosts.deny and /etc/hosts.allow is empty. Something else is
>> going on here, right?
>
> I'm not very familiar with the 'hosts' backend, so I'm not sure. I
> believe SSHGuard should only be making changes to one file, which is set
> at compile time.
>
> I'd be interested to hear if you find out what's going on.

It is normal to dump everything into /etc/hosts.deny, as is suggested in the header in /etc/hosts.deny... It now can go all in the same file.

The fact is that 1200 addresses seems a lot, but I have servers with over 8000 blacklisted ipnrs. And on those servers I manually blacklist C-nets(/24) (mostly russian/asian) which have more than a 10-15% coverage. So if more than 32 ipnrs in a segment try to abuse the system, I don't wait, I just block the whole C-net.

--WjW |
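The offline blacklist analysis discussed in this thread (promoting many blocked addresses in one /24 to a single range, using the "more than 32" threshold from the message above) could look like the following. This is an added example, not SSHGuard code or any poster's tool: it assumes the `###sshguard###` block layout of the hosts.allow excerpt posted elsewhere in the thread, and the function names, the whitelist guard and the sample addresses (documentation ranges) are constructed.

```python
import ipaddress
import re
from collections import defaultdict

MARKER = "###sshguard###"
# One entry line of the block: "ALL : <addr> <addr> ... : DENY"
ENTRY_RE = re.compile(r"^ALL\s*:\s*(.*?)\s*:\s*DENY$")

# Constructed sample in the layout of the posted hosts.allow excerpt,
# including an entry line with no addresses.
SAMPLE_HOSTS = """\
###sshguard###
ALL : 203.0.113.5 203.0.113.9 : DENY
ALL : 198.51.100.20 : DENY
ALL :  : DENY
###sshguard###
sshd : 192.0.2.200 : ALLOW
"""


def parse_hosts_block(text):
    """Return the addresses listed between the ###sshguard### markers."""
    addrs, inside = [], False
    for line in text.splitlines():
        line = line.strip()
        if line == MARKER:
            inside = not inside
            continue
        m = ENTRY_RE.match(line) if inside else None
        if m:
            addrs.extend(m.group(1).split())   # empty entries add nothing
    return addrs


def suggest_ranges(addresses, whitelist=(), prefix=24, threshold=32):
    """Group blocked IPv4 addresses by their enclosing /prefix network and
    suggest blocking the whole network once more than `threshold` of its
    addresses are listed. A network that contains a whitelisted address or
    range is never promoted; it is reported under "held_back" instead.
    A malformed whitelist entry raises ValueError rather than being skipped."""
    protected = [ipaddress.ip_network(w, strict=False) for w in whitelist]
    by_net, untouched = defaultdict(set), []
    for raw in addresses:
        try:
            ip = ipaddress.ip_address(raw.strip("[]"))
        except ValueError:
            untouched.append(raw)      # host names, typos: leave for a human
            continue
        if ip.version != 4:
            untouched.append(raw)      # this sketch only aggregates IPv4
            continue
        by_net[ipaddress.ip_network(f"{ip}/{prefix}", strict=False)].add(ip)

    block, keep, held = [], [], []
    for net in sorted(by_net):
        hosts = sorted(by_net[net])
        if len(hosts) <= threshold:
            keep += hosts
        elif any(p.version == 4 and net.overlaps(p) for p in protected):
            held.append(net)
            keep += hosts
        else:
            block.append(net)
    return {
        "block_ranges": [str(n) for n in block],
        "keep_single": [str(h) for h in keep],
        "held_back": [str(n) for n in held],
        "untouched": untouched,
    }


def demo():
    blocked = [f"203.0.113.{i}" for i in range(1, 41)]   # 40 hosts in one /24
    blocked += [f"192.0.2.{i}" for i in range(1, 36)]    # 35 hosts in one /24
    blocked += ["198.51.100.20", "198.51.100.77", "2001:db8::5"]
    return suggest_ranges(blocked, whitelist=["192.0.2.200"])


if __name__ == "__main__":
    result = demo()
    print("block as ranges:", result["block_ranges"])
    print("held back (whitelist inside):", result["held_back"])
    print("single entries kept:", len(result["keep_single"]))
```

In the demo, 78 listed addresses reduce to one range plus 38 single entries, and the /24 that contains the whitelisted host is left as individual entries.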
From: Kevin Z. <kev...@gm...> - 2015-07-23 13:20:39
|
On 07/23/2015 18:24, @lbutlr wrote: > SSHGuard version sshguard-1.5_12 The latest version from ports is 1.6.0. > whitelist: add '230.240.250.260' as plain IPv4. whitelist: add plain > IPv4 230.240.250.260. whitelist: add '230.240.250.261' as plain > IPv4. whitelist: add plain IPv4 230.240.250.261. whitelist: add > '127.0.0.1' as plain IPv4. whitelist: add plain IPv4 127.0.0.1. Are the correct addresses whitelisted? > the behavior has changed since yesterday. Over 1200 IPs are listed in > /etc/hosts.deny and /etc/hosts.allow is empty. Something else is > going on here, right? I'm not very familiar with the 'hosts' backend, so I'm not sure. I believe SSHGuard should only be making changes to one file, which is set at compile time. I'd be interested to hear if you find out what's going on. Thanks, Kevin Zheng -- Kevin Zheng kev...@gm... | ke...@kd... | PGP: 0xC22E1090 |
From: @lbutlr <kr...@kr...> - 2015-07-23 10:24:23
|
On Jul 22, 2015, at 8:58 PM, Kevin Zheng <kev...@gm...> wrote:
> env SSHGUARD_DEBUG=yes sshguard -b 40:/var/db/sshguard/blacklist.db -l
> /var/log/auth.log -l /var/log/maillog -a 40 -p 420 -s 1200 -w
> /usr/local/etc/sshguard.whitelist -i /var/run/sshguard.pid

SSHGuard version sshguard-1.5_12

Adding '/var/log/auth.log' to polled files.
Registering events.
Setting 2 events for 1 (act+inact) files.
File '/var/log/auth.log' added, fd 4, serial 5297173.
Adding '/var/log/maillog' to polled files.
Registering events.
Setting 4 events for 2 (act+inact) files.
File '/var/log/maillog' added, fd 5, serial 5297154.
whitelist: add '230.240.250.260' as plain IPv4.
whitelist: add plain IPv4 230.240.250.260.
whitelist: add '230.240.250.261' as plain IPv4.
whitelist: add plain IPv4 230.240.250.261.
whitelist: add '127.0.0.1' as plain IPv4.
whitelist: add plain IPv4 127.0.0.1.
Blacklist loaded, blocking 56 addresses.
…

the behavior has changed since yesterday. Over 1200 IPs are listed in /etc/hosts.deny and /etc/hosts.allow is empty. Something else is going on here, right?

sshguard 1.5.0
Copyright (c) 2007,2008 Mij <mi...@ss...>
This is free software; see the source for conditions on copying.

I’ve removed the hosts.deny file and started sshguard again:

$ cat hosts.allow
###sshguard###
ALL : 200.114.65.111 45.114.11.16 111.207.126.80 45.114.11.34 190.60.31.107 218.65.30.92 218.65.30.23 122.243.249.122 : DENY
ALL : 2.115.68.148 198.252.66.108 125.69.80.32 218.65.30.73 82.208.235.94 183.60.175.149 182.100.67.114 61.36.33.233 : DENY
ALL : 45.114.11.13 218.87.111.116 218.26.243.138 113.11.197.233 193.201.227.30 218.65.30.217 58.218.211.166 221.179.89.90 : DENY
ALL : 218.65.30.61 218.87.109.60 119.147.47.94 190.9.130.71 182.100.67.112 219.229.222.4 62.210.7.160 113.195.145.12 : DENY
ALL : 45.114.11.41 45.114.11.29 23.91.120.48 45.114.11.39 184.168.119.160 91.199.151.85 45.114.11.51 218.200.188.213 : DENY
ALL : 198.58.95.66 109.169.74.58 14.63.161.216 193.107.17.72 182.100.67.102 45.55.76.112 162.250.126.81 218.87.111.110 : DENY
ALL : 103.17.107.18 193.104.41.53 45.114.11.14 23.21.125.218 71.245.177.204 45.114.11.28 191.235.188.206 45.114.11.26 : DENY
ALL : : DENY
###sshguard###

This time, my home IP is not listed there, and many IPs are listed which show up in /var/log/auth.log trying to ssh as the root user, so that’s good. I’m going to keep an eye on it, and restore the rest of hosts.allow from the backup.

Jul 23 02:44:04 mail sshguard[3339]: Offender '200.114.65.111:4' scored 40 danger in 1 abuses (threshold 40) -> blacklisted.
Jul 23 02:44:04 mail sshguard[3339]: Blocking 200.114.65.111:4 for >0secs: 40 danger in 4 attacks over 757 seconds (all: 40d in 1 abuses over 757s).

--
'It's still a lie. Like the lie about masks.' 'What lie about masks?' 'The way people say they hide faces.' 'They do hide faces,' said Nanny Ogg. 'Only the one on the outside.' --Maskerade |
From: Kevin Z. <kev...@gm...> - 2015-07-23 02:58:19
|
On 07/21/2015 16:23, @lbutlr wrote:
> I have my home fixed IP set in the whitelist for sshguard but when I
> was unable to login to the server remotely this weekend, I discovered
> that that IP had been added to the top of /etc/hosts.allow with a
> DENY.

I still can't seem to reproduce your issue. Could you please run this from the command line and see if you spot any interesting output?

env SSHGUARD_DEBUG=yes sshguard -b 40:/var/db/sshguard/blacklist.db -l /var/log/auth.log -l /var/log/maillog -a 40 -p 420 -s 1200 -w /usr/local/etc/sshguard.whitelist -i /var/run/sshguard.pid

In particular, pay attention to the first few lines that read from your whitelist. Are those the IPs you expected?

Thanks,
Kevin Zheng

--
Kevin Zheng
kev...@gm... | ke...@kd... | PGP: 0xC22E1090 |
From: LuKreme <kr...@kr...> - 2015-07-23 02:36:25
|
On Jul 22, 2015, at 18:56, Kevin Zheng <kev...@gm...> wrote: > > what version of SSHGuard? Oh, and by "current" I mean "current in ports" if that matters. |
From: LuKreme <kr...@kr...> - 2015-07-23 02:35:23
|
> On Jul 22, 2015, at 18:56, Kevin Zheng <kev...@gm...> wrote:
>
> Sorry for the belated response, but I'm still looking at your problem.
> I'm having a hard time reproducing the issue. What operating system are
> you using, and what version of SSHGuard?

FreeBSD 9.2. I'll have to double check the version of sshguard when I go in tomorrow to unblacklist myself, but it is current within the last two or three months at the outside. Probably much more recently than that.

I did delete the db file for sshguard before I launched it last, hoping that would eliminate the issue. Will also check logs tomorrow for anything of interest. |
From: Kevin Z. <kev...@gm...> - 2015-07-23 00:57:13
|
On 07/23/2015 08:48, @lbutlr wrote:
> Anyone?

Sorry for the belated response, but I'm still looking at your problem. I'm having a hard time reproducing the issue. What operating system are you using, and what version of SSHGuard?

Best,
Kevin Zheng

--
Kevin Zheng
kev...@gm... | ke...@kd... | PGP: 0xC22E1090 |
From: @lbutlr <kr...@kr...> - 2015-07-23 00:54:53
|
Anyone?

> On Jul 21, 2015, at 2:23 AM, @lbutlr <kr...@kr...> wrote:
>
> I have my home fixed IP set in the whitelist for sshguard but when I was unable to login to the server remotely this weekend, I discovered that that IP had been added to the top of /etc/hosts.allow with a DENY.

Typos fixed.

My IP has been blacklisted again today. Still listed in the whitelist file.

--
Realizing the importance of the case, my men are rounding up twice the usual number of suspects. |
From: @lbutlr <kr...@kr...> - 2015-07-21 22:55:07
|
I have my home fixed IP set in the whitelist for sshguard but when I was unable to login to the server remotely this weekend, I discovered that that IP had been added to the top of /etc/hosts.allow with a DENY.

When running, sshguard shows up:

/usr/local/sbin/sshguard -b 40:/var/db/sshguard/blacklist.db -l /var/log/auth.log -l /var/log/maillog -a 40 -p 420 -s 1200 -w /usr/local/etc/sshguard.whitelist -i /var/run/sshguard.pid

/usr/local/etc/sshguard.whitelist contains IP addresses, one per line:

230.240.250.260
230.240.250.261
260.1.2.5
etc

I just started up sshguard and again, it blacklisted my IP.

$ head -3 /etc/hosts.allow
###sshguard###
ALL : 230.240.250.260 : DENY
###sshguard###

$ cat /usr/local/etc/sshguard.whitelist
230.240.250.260
230.240.250.261
260.1.2.5

(obviously those are not real IPs, but the two IPs *are* identical)

--
Realizing the importance of the case, my men are rounding up twice the usual number of suspects. |
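A check for the condition reported in this thread, a whitelisted address appearing inside the sshguard block of /etc/hosts.allow, as an added example that is not from the thread or from the SSHGuard project. It assumes the block layout shown in the posts and a whitelist of IPv4 addresses or CIDR blocks, one per line; the function names are hypothetical and the sample data is constructed.

```python
import ipaddress
import re

MARKER = "###sshguard###"
DENY_LINE = re.compile(r"^ALL\s*:\s*(.*?)\s*:\s*DENY$")

# Constructed sample data (documentation address ranges), not taken from the thread.
SAMPLE_HOSTS_ALLOW = """###sshguard###
ALL : 203.0.113.7 198.51.100.23 192.0.2.10 : DENY
ALL : 198.51.100.99 : DENY
ALL : : DENY
###sshguard###
sshd : ALL : allow
"""
SAMPLE_WHITELIST = "# home and office\n192.0.2.10\n198.51.100.0/26\nhome.example.org\n"

def blocked_addresses(hosts_allow_text):
    """Addresses on 'ALL : a b c : DENY' lines between the two markers."""
    blocked, inside = [], False
    for raw in hosts_allow_text.splitlines():
        line = raw.strip()
        if line == MARKER:
            inside = not inside
            continue
        match = DENY_LINE.match(line) if inside else None
        if match:
            blocked.extend(match.group(1).split())  # empty 'ALL : : DENY' adds nothing
    return blocked

def whitelist_networks(whitelist_text):
    """Return (parsed networks, entries that are not addresses, e.g. hostnames)."""
    networks, skipped = [], []
    for raw in whitelist_text.splitlines():
        entry = raw.split("#", 1)[0].strip()
        if not entry:
            continue
        try:
            networks.append(ipaddress.ip_network(entry, strict=False))
        except ValueError:
            skipped.append(entry)  # not resolved here; review by hand
    return networks, skipped

def whitelisted_but_blocked(hosts_allow_text, whitelist_text):
    """Blocked addresses that fall inside any whitelisted address or CIDR block."""
    networks, _ = whitelist_networks(whitelist_text)
    hits = []
    for text in blocked_addresses(hosts_allow_text):
        try:
            addr = ipaddress.ip_address(text)
        except ValueError:
            continue  # malformed entry in the block
        if any(addr in net for net in networks):
            hits.append(text)
    return hits

if __name__ == "__main__":
    print(whitelisted_but_blocked(SAMPLE_HOSTS_ALLOW, SAMPLE_WHITELIST))
```

Any address this returns is one that the whitelist should have protected; an empty list means the block and the whitelist do not overlap.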